Thursday, April 30, 2009

Pruning Old Computer Accounts in AD

Many domains have old computer accounts that are no longer in use. The Windows Server 2003 Support Tools include a utility that lets you view old accounts.

To view computer accounts that have not been logged into for 8 weeks, type:
dsquery computer -inactive 8 -limit 0

To delete computer accounts that have not been logged into for 8 weeks, pipe the same query into dsrm:
dsquery computer -inactive 8 -limit 0 | dsrm

If you're running at the Windows 2000 Domain Functional Level, you will receive the following error:

dsquery failed:The parameter is incorrect.:Windows could not run this query because you are connected to a domain that does not support this query.

This is because the Windows 2000 Domain Functional Level does not support the lastLogonTimestamp attribute on user and computer objects.
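The same 8-week check can be run directly against lastLogonTimestamp, with a review list and a disable step in place of an immediate delete. This is an added example, not part of the original post. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the report path is a hypothetical name.

```powershell
# Added example: list computers inactive for 8 weeks, write a review file,
# then disable (not delete) them. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$Weeks      = 8                                # same window as "dsquery computer -inactive 8"
$Cutoff     = (Get-Date).AddDays(-7 * $Weeks)
$CutoffFt   = $Cutoff.ToFileTimeUtc()          # lastLogonTimestamp is a FILETIME (100 ns ticks since 1601, UTC)
$ReportPath = '.\stale-computers.csv'          # hypothetical output path

# Server-side LDAP filter. Objects with no lastLogonTimestamp at all
# (never logged on) are not matched by this comparison.
$stale = Get-ADComputer -LDAPFilter "(lastLogonTimestamp<=$CutoffFt)" `
            -Properties lastLogonTimestamp, whenCreated, operatingSystem |
    Select-Object Name, DistinguishedName, Enabled, operatingSystem, whenCreated,
        @{ Name = 'LastLogon'
           Expression = { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } }

# Keep a record of what was found before anything is changed.
$stale | Sort-Object LastLogon | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} computer accounts inactive since before {1:yyyy-MM-dd}" -f @($stale).Count, $Cutoff)

# Disable and stamp the description so the change is traceable and reversible.
# -WhatIf only prints the intended change; remove it after reviewing the CSV.
$stale | Where-Object { $_.Enabled } | ForEach-Object {
    $note = "Disabled $(Get-Date -Format yyyy-MM-dd): inactive since $($_.LastLogon.ToString('yyyy-MM-dd'))"
    Set-ADComputer -Identity $_.DistinguishedName -Enabled $false -Description $note -WhatIf
}
```

lastLogonTimestamp is only rewritten when the stored value is roughly 9 to 14 days old, so it can lag the real last logon by up to two weeks; keep the inactivity window well above that.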
